25-GPU cluster cracks every standard Windows password in <6 hours

[Heath]

arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

Quote:

A password-cracking expert has unveiled a computer cluster that can cycle through as many as 350 billion guesses per second. It's an almost unprecedented speed that can try every possible Windows passcode in the typical enterprise in less than six hours.

The five-server system uses a relatively new package of virtualization software that harnesses the power of 25 AMD Radeon graphics cards. It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. As a result, it can try an astounding 958 combinations in just 5.5 hours, enough to brute force every possible eight-character password containing upper- and lower-case letters, digits, and symbols. Such password policies are common in many enterprise settings. The same passwords protected by Microsoft's LM algorithm?which many organizations enable for compatibility with older Windows versions?will fall in just six minutes.

The Linux-based GPU cluster runs the Virtual OpenCL cluster platform, which allows the graphics cards to function as if they were running on a single desktop computer. ocl-Hashcat Plus, a freely available password-cracking suite optimized for GPU computing, runs on top, allowing the machine to tackle at least 44 other algorithms at near-unprecedented speeds. In addition to brute-force attacks, the cluster can bring that speed to cracks that use a variety of other techniques, including dictionary attacks containing millions of words.

"What this cluster means is, we can do all the things we normally would with Hashcat, just at a greatly accelerated rate," Jeremi Gosney, the founder and CEO of Stricture Consulting Group, wrote in an e-mail to Ars. "We can attack hashes approximately four times faster than we could previously."

Gosney unveiled the machine last week at the Passwords^12 conference in Oslo, Norway. He previously used a computer equipped with four AMD Radeon HD6990 graphics cards that could make about 88 billion guesses per second against NTLM hashes. As Ars previously reported in a feature headlined "Why passwords have never been weaker?and crackers have never been stronger," Gosney used the machine to crack 90 percent of the 6.5 million password hashes belonging to users of LinkedIn. In addition to the power of his hardware, his attack was aided by a 500 million-strong word list and a variety of advanced programming rules.

Using the new cluster, the same attack would move about four times faster. That's because the machine is able to make about 63 billion guesses against SHA1, the algorithm used to hash the LinkedIn passwords, versus the 15.5 billion guesses his previous hardware was capable of. The cluster can try 180 billion combinations per second against the widely used MD5 algorithm, which is also about a four-fold improvement over his older system.

The speeds apply to so-called offline cracks, in which password lists are retrieved by hackers who exploit vulnerabilities on website or network servers. The passwords are typically stored using one-way cryptographic hash functions, which generate a unique string of characters for each unique string of plaintext. In theory, hashes can't be mathematically reversed. The only way to crack them is to run guesses through the same cryptographic function. When the output of a particular guess matches a hash in a compromised list, the corresponding password has been cracked.

Full Article : rstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

[NatalieK]

Sounds like a piece of art

[PR_Dave]

Would be good for video encoding

[bronco67]

So....why? Isn't there something more productive to do with all that computing power?

[Why]

Quote:

Originally Posted by PR_Dave

Would be good for video encoding

it would be fast, but poor quality. GPU encoding results in lesser quality then CPU encoding, due to the way they are built.

the difference in quality is actually noticeable to the naked eye.

[Why]

and this is why hashes are bad. ;)

the computing power that is around today, all passwords are worthless.

[Rochard]

So it can do 350 billion guesses per second... But my computer can only done one request every five seconds. So there goes that idea.

[Ayla_SquareTurtle]

Quote:

Originally Posted by Rochard

So it can do 350 billion guesses per second... But my computer can only done one request every five seconds. So there goes that idea.

They use vulnerabilities in the OS to directly access the encrypted password file on your machine. Your machine doesn't have to be able to process the requests at that speed.

[JP-pornshooter]

doesnt most password protected application shut off after a few tries?
perhaps not software applications as much as "websites"?

[Ayla_SquareTurtle]

Quote:

Originally Posted by JP-pornshooter

doesnt most password protected application shut off after a few tries?
perhaps not software applications as much as "websites"?

Yes, but this is for cracking Windows which it does using the method I briefly explained above.

[Robbie]

Quote:

Originally Posted by Why

it would be fast, but poor quality. GPU encoding results in lesser quality then CPU encoding, due to the way they are built.

the difference in quality is actually noticeable to the naked eye.

You're dead wrong. GPU is better quality when rendering video.

You need to do some research. Why do you think that I and everyone else is using CUDA technology to render video using video cards with big GPU's?

[Robbie]

"GPU does a better job and is virtually identical to the master."

http://www.shawnlam.ca/2011/adobe-cs...-acceleration/

[JP-pornshooter]

Quote:

Originally Posted by Ayla_SquareTurtle

Yes, but this is for cracking Windows which it does using the method I briefly explained above.

speaking of cracking, i have a couple wifi networks i like to test some cracking techniques on.. any suggestions?
strictly for testing purposes only.

[GFED]

Quote:

Originally Posted by JP-pornshooter

speaking of cracking, i have a couple wifi networks i like to test some cracking techniques on.. any suggestions?
strictly for testing purposes only.

Backtrack + Reaver